Move XContent generation to HasPrivilegesResponse (#35616)

The RestHasPrivilegesAction previously handled its own XContent
generation. This change moves that into HasPrivilegesResponse and
makes the response implement ToXContent.

This allows HasPrivilegesResponseTests to be used to test
compatibility between HLRC and X-Pack internals.

A serialization bug (cluster privs) was also fixed here.

Author: tvernum

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/user/HasPrivilegesResponse.java

@@ -9,11 +9,14 @@
 import org.elasticsearch.action.ActionResponse;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
+import org.elasticsearch.common.xcontent.ToXContentObject;
+import org.elasticsearch.common.xcontent.XContentBuilder;
 
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Comparator;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -22,24 +25,35 @@
 /**
  * Response for a {@link HasPrivilegesRequest}
  */
-public class HasPrivilegesResponse extends ActionResponse {
+public class HasPrivilegesResponse extends ActionResponse implements ToXContentObject {
+    private String username;
     private boolean completeMatch;
     private Map<String, Boolean> cluster;
     private List<ResourcePrivileges> index;
     private Map<String, List<ResourcePrivileges>> application;
 
     public HasPrivilegesResponse() {
-        this(true, Collections.emptyMap(), Collections.emptyList(), Collections.emptyMap());
+        this("", true, Collections.emptyMap(), Collections.emptyList(), Collections.emptyMap());
     }
 
-    public HasPrivilegesResponse(boolean completeMatch, Map<String, Boolean> cluster, Collection<ResourcePrivileges> index,
+    public HasPrivilegesResponse(String username, boolean completeMatch, Map<String, Boolean> cluster, Collection<ResourcePrivileges> index,
                                  Map<String, Collection<ResourcePrivileges>> application) {
         super();
+        this.username = username;
         this.completeMatch = completeMatch;
         this.cluster = new HashMap<>(cluster);
-        this.index = new ArrayList<>(index);
+        this.index = sorted(new ArrayList<>(index));
         this.application = new HashMap<>();
-        application.forEach((key, val) -> this.application.put(key, Collections.unmodifiableList(new ArrayList<>(val))));
+        application.forEach((key, val) -> this.application.put(key, Collections.unmodifiableList(sorted(new ArrayList<>(val)))));
+    }
+
+    private static List<ResourcePrivileges> sorted(List<ResourcePrivileges> resources) {
+        Collections.sort(resources, Comparator.comparing(o -> o.resource));
+        return resources;
+    }
+
+    public String getUsername() {
+        return username;
     }
 
     public boolean isCompleteMatch() {
@@ -62,13 +76,40 @@ public Map<String, List<ResourcePrivileges>> getApplicationPrivileges() {
         return Collections.unmodifiableMap(application);
     }
 
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        final HasPrivilegesResponse response = (HasPrivilegesResponse) o;
+        return completeMatch == response.completeMatch
+            && Objects.equals(username, response.username)
+            && Objects.equals(cluster, response.cluster)
+            && Objects.equals(index, response.index)
+            && Objects.equals(application, response.application);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(username, completeMatch, cluster, index, application);
+    }
+
     public void readFrom(StreamInput in) throws IOException {
         super.readFrom(in);
         completeMatch = in.readBoolean();
+        if (in.getVersion().onOrAfter(Version.V_6_6_0)) {
+            cluster = in.readMap(StreamInput::readString, StreamInput::readBoolean);
+        }
         index = readResourcePrivileges(in);
         if (in.getVersion().onOrAfter(Version.V_6_4_0)) {
             application = in.readMap(StreamInput::readString, HasPrivilegesResponse::readResourcePrivileges);
         }
+        if (in.getVersion().onOrAfter(Version.V_6_6_0)) {
+            username = in.readString();
+        }
     }
 
     private static List<ResourcePrivileges> readResourcePrivileges(StreamInput in) throws IOException {
@@ -86,10 +127,16 @@ private static List<ResourcePrivileges> readResourcePrivileges(StreamInput in) t
     public void writeTo(StreamOutput out) throws IOException {
         super.writeTo(out);
         out.writeBoolean(completeMatch);
+        if (out.getVersion().onOrAfter(Version.V_6_6_0)) {
+            out.writeMap(cluster, StreamOutput::writeString, StreamOutput::writeBoolean);
+        }
         writeResourcePrivileges(out, index);
         if (out.getVersion().onOrAfter(Version.V_6_4_0)) {
             out.writeMap(application, StreamOutput::writeString, HasPrivilegesResponse::writeResourcePrivileges);
         }
+        if (out.getVersion().onOrAfter(Version.V_6_6_0)) {
+            out.writeString(username);
+        }
     }
 
     private static void writeResourcePrivileges(StreamOutput out, List<ResourcePrivileges> privileges) throws IOException {
@@ -100,6 +147,49 @@ private static void writeResourcePrivileges(StreamOutput out, List<ResourcePrivi
         }
     }
 
+    @Override
+    public String toString() {
+        return getClass().getSimpleName() + "{"
+            + "username=" + username + ","
+            + "completeMatch=" + completeMatch + ","
+            + "cluster=" + cluster + ","
+            + "index=" + index + ","
+            + "application=" + application
+            + "}";
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject()
+            .field("username", username)
+            .field("has_all_requested", completeMatch);
+
+        builder.field("cluster");
+        builder.map(cluster);
+
+        appendResources(builder, "index", index);
+
+        builder.startObject("application");
+        for (String app : application.keySet()) {
+            appendResources(builder, app, application.get(app));
+        }
+        builder.endObject();
+
+        builder.endObject();
+        return builder;
+    }
+
+    private void appendResources(XContentBuilder builder, String field, List<HasPrivilegesResponse.ResourcePrivileges> privileges)
+        throws IOException {
+        builder.startObject(field);
+        for (HasPrivilegesResponse.ResourcePrivileges privilege : privileges) {
+            builder.field(privilege.getResource());
+            builder.map(privilege.getPrivileges());
+        }
+        builder.endObject();
+    }
+
+
     public static class ResourcePrivileges {
         private final String resource;
         private final Map<String, Boolean> privileges;

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/action/user/HasPrivilegesResponseTests.java

@@ -0,0 +1,167 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.core.security.action.user;
+
+import org.elasticsearch.Version;
+import org.elasticsearch.common.bytes.BytesReference;
+import org.elasticsearch.common.collect.MapBuilder;
+import org.elasticsearch.common.io.stream.BytesStreamOutput;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.common.xcontent.ToXContent;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.common.xcontent.XContentParser;
+import org.elasticsearch.common.xcontent.XContentType;
+import org.elasticsearch.protocol.AbstractHlrcStreamableXContentTestCase;
+import org.elasticsearch.test.VersionUtils;
+import org.hamcrest.Matchers;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+import static org.hamcrest.Matchers.equalTo;
+
+public class HasPrivilegesResponseTests
+    extends AbstractHlrcStreamableXContentTestCase<HasPrivilegesResponse, org.elasticsearch.client.security.HasPrivilegesResponse> {
+
+    public void testSerializationV64OrV65() throws IOException {
+        final HasPrivilegesResponse original = randomResponse();
+        final Version version = VersionUtils.randomVersionBetween(random(), Version.V_6_4_0, Version.V_6_5_1);
+        final HasPrivilegesResponse copy = serializeAndDeserialize(original, version);
+
+        assertThat(copy.isCompleteMatch(), equalTo(original.isCompleteMatch()));
+        assertThat(copy.getClusterPrivileges().entrySet(), Matchers.emptyIterable());
+        assertThat(copy.getIndexPrivileges(), equalTo(original.getIndexPrivileges()));
+        assertThat(copy.getApplicationPrivileges(), equalTo(original.getApplicationPrivileges()));
+    }
+
+    public void testSerializationV63() throws IOException {
+        final HasPrivilegesResponse original = randomResponse();
+        final HasPrivilegesResponse copy = serializeAndDeserialize(original, Version.V_6_3_0);
+
+        assertThat(copy.isCompleteMatch(), equalTo(original.isCompleteMatch()));
+        assertThat(copy.getClusterPrivileges().entrySet(), Matchers.emptyIterable());
+        assertThat(copy.getIndexPrivileges(), equalTo(original.getIndexPrivileges()));
+        assertThat(copy.getApplicationPrivileges(), equalTo(Collections.emptyMap()));
+    }
+
+    public void testToXContent() throws Exception {
+        final HasPrivilegesResponse response = new HasPrivilegesResponse("daredevil", false,
+            Collections.singletonMap("manage", true),
+            Arrays.asList(
+                new HasPrivilegesResponse.ResourcePrivileges("staff",
+                    MapBuilder.<String, Boolean>newMapBuilder(new LinkedHashMap<>())
+                        .put("read", true).put("index", true).put("delete", false).put("manage", false).map()),
+                new HasPrivilegesResponse.ResourcePrivileges("customers",
+                    MapBuilder.<String, Boolean>newMapBuilder(new LinkedHashMap<>())
+                        .put("read", true).put("index", true).put("delete", true).put("manage", false).map())
+            ), Collections.emptyMap());
+
+        final XContentBuilder builder = XContentBuilder.builder(XContentType.JSON.xContent());
+        response.toXContent(builder, ToXContent.EMPTY_PARAMS);
+        BytesReference bytes = BytesReference.bytes(builder);
+
+        final String json = bytes.utf8ToString();
+        assertThat(json, equalTo("{" +
+            "\"username\":\"daredevil\"," +
+            "\"has_all_requested\":false," +
+            "\"cluster\":{\"manage\":true}," +
+            "\"index\":{" +
+            "\"customers\":{\"read\":true,\"index\":true,\"delete\":true,\"manage\":false}," +
+            "\"staff\":{\"read\":true,\"index\":true,\"delete\":false,\"manage\":false}" +
+            "}," +
+            "\"application\":{}" +
+            "}"));
+    }
+
+    @Override
+    protected boolean supportsUnknownFields() {
+        // Because we have nested objects with { string : boolean }, unknown fields cause parsing problems
+        return false;
+    }
+
+    @Override
+    protected HasPrivilegesResponse createBlankInstance() {
+        return new HasPrivilegesResponse();
+    }
+
+    @Override
+    protected HasPrivilegesResponse createTestInstance() {
+        return randomResponse();
+    }
+
+    @Override
+    public org.elasticsearch.client.security.HasPrivilegesResponse doHlrcParseInstance(XContentParser parser) throws IOException {
+        return org.elasticsearch.client.security.HasPrivilegesResponse.fromXContent(parser);
+    }
+
+    @Override
+    public HasPrivilegesResponse convertHlrcToInternal(org.elasticsearch.client.security.HasPrivilegesResponse hlrc) {
+        return new HasPrivilegesResponse(
+            hlrc.getUsername(),
+            hlrc.hasAllRequested(),
+            hlrc.getClusterPrivileges(),
+            toResourcePrivileges(hlrc.getIndexPrivileges()),
+            hlrc.getApplicationPrivileges().entrySet().stream()
+                .collect(Collectors.toMap(Map.Entry::getKey, e -> toResourcePrivileges(e.getValue())))
+            );
+    }
+
+    private static List<HasPrivilegesResponse.ResourcePrivileges> toResourcePrivileges(Map<String, Map<String, Boolean>> map) {
+        return map.entrySet().stream()
+            .map(e -> new HasPrivilegesResponse.ResourcePrivileges(e.getKey(), e.getValue()))
+            .collect(Collectors.toList());
+    }
+
+    private HasPrivilegesResponse serializeAndDeserialize(HasPrivilegesResponse original, Version version) throws IOException {
+        logger.info("Test serialize/deserialize with version {}", version);
+        final BytesStreamOutput out = new BytesStreamOutput();
+        out.setVersion(version);
+        original.writeTo(out);
+
+        final HasPrivilegesResponse copy = new HasPrivilegesResponse();
+        final StreamInput in = out.bytes().streamInput();
+        in.setVersion(version);
+        copy.readFrom(in);
+        assertThat(in.read(), equalTo(-1));
+        return copy;
+    }
+
+    private HasPrivilegesResponse randomResponse() {
+        final String username = randomAlphaOfLengthBetween(4, 12);
+        final Map<String, Boolean> cluster = new HashMap<>();
+        for (String priv : randomArray(1, 6, String[]::new, () -> randomAlphaOfLengthBetween(3, 12))) {
+            cluster.put(priv, randomBoolean());
+        }
+        final Collection<HasPrivilegesResponse.ResourcePrivileges> index = randomResourcePrivileges();
+        final Map<String, Collection<HasPrivilegesResponse.ResourcePrivileges>> application = new HashMap<>();
+        for (String app : randomArray(1, 3, String[]::new, () -> randomAlphaOfLengthBetween(3, 6).toLowerCase(Locale.ROOT))) {
+            application.put(app, randomResourcePrivileges());
+        }
+        return new HasPrivilegesResponse(username, randomBoolean(), cluster, index, application);
+    }
+
+    private Collection<HasPrivilegesResponse.ResourcePrivileges> randomResourcePrivileges() {
+        final Collection<HasPrivilegesResponse.ResourcePrivileges> list = new ArrayList<>();
+        for (String resource : randomArray(1, 3, String[]::new, () -> randomAlphaOfLengthBetween(2, 6))) {
+            final Map<String, Boolean> privileges = new HashMap<>();
+            for (String priv : randomArray(1, 5, String[]::new, () -> randomAlphaOfLengthBetween(3, 8))) {
+                privileges.put(priv, randomBoolean());
+            }
+            list.add(new HasPrivilegesResponse.ResourcePrivileges(resource, privileges));
+        }
+        return list;
+    }
+}

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/user/TransportHasPrivilegesAction.java

@@ -168,7 +168,7 @@ private void checkPrivileges(HasPrivilegesRequest request, Role userRole,
             privilegesByApplication.put(applicationName, appPrivilegesByResource.values());
         }
 
-        listener.onResponse(new HasPrivilegesResponse(allMatch, cluster, indices.values(), privilegesByApplication));
+        listener.onResponse(new HasPrivilegesResponse(request.username(), allMatch, cluster, indices.values(), privilegesByApplication));
     }
 
     private boolean testIndexMatch(String checkIndex, String checkPrivilegeName, Role userRole,